Microsoft is also working on adding automatic phishing detection to enterprise in-org forms, after previously rolling out Microsoft Forms proactive phishing prevention for public forms in July.
Microsoft Forms is one of the offerings available through the Office 365 cloud-based subscription service, and it is designed to let customers create online quizzes, surveys, and polls for collecting feedback and data.
“In order to make Forms a more secure service, we have enabled automatic phishing detection on all public forms in July,” says a new Microsoft 365 Roadmap update. “Now we’d like to provide this feature to enterprise in-org forms as well for better protection.”
Like the version that rolled out in July for public forms, it should use automated machine reviews to “proactively detect malicious password collection in forms and surveys” and block phishers from abusing the Microsoft Forms app to create phishing pages.
The new phishing protection for enterprise in-org forms is currently in development and it comes with an estimated time of arrival of September 2019.
Microsoft Forms phishing a growing trend
The addition of Microsoft Forms automated phishing protection couldn’t have come sooner, given that attacks abusing the app have become increasingly common among scammers since its release in June 2016, with new campaigns being spotted more frequently each year. [1, 2, 3, 4]
Previously, individuals targeted by Microsoft Forms-based phishing did not have a direct way of reporting such attacks to Redmond’s Microsoft Phishing Analysis and Microsoft Spam Analysis teams. Users can now use the “Report Abuse” link under the “Submit” button at the bottom of online forms.
“If you suspect a form or survey you’ve received is attempting to collect passwords or other sensitive information in Microsoft Forms, report it to help prevent yours and other’s private information from getting compromised,” states Microsoft.
Before this new reporting process was implemented, the Microsoft Security team recommended that users pick one of the methods described in a support document about how to send spam, non-spam, and phishing scam samples to Microsoft for analysis.
Besides adding the new reporting tool, Redmond also advises users to never provide sensitive personal info via online surveys as the best possible approach for protecting oneself from phishing attacks.
In related news, phishing attacks saw a 250% increase during the last year, with phishers moving to multiple points of attack during the same campaign and shifting between domains and servers when hosting phishing landing pages and sending phishing e-mails, according to Microsoft’s Security Intelligence Report (SIR) Volume 24, published in March.
These stats were the direct result of scanning and examining over 470 billion emails sent and received by Microsoft’s Office 365 customers, which gave Redmond a bird’s eye view over the evolution of both phishing trends and methods.